SB2023062847 - Multiple vulnerabilities in Red Hat Single Sign-On 7.6

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Code Injection (CVE-ID: CVE-2021-39144)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in xStream. A remote attacker can pass specially crafted XML data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Cross-site scripting (CVE-ID: CVE-2022-4361)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the SAML or OIDC providers in Keycloak due to insufficient sanitization of user-supplied data passed via the AssertionConsumerServiceURL value or the redirect_uri. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Infinite loop (CVE-ID: CVE-2023-1108)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop caused by an unexpected handshake status updated in SslConduit. A remote attacker can consume all available system resources and cause denial of service conditions.

4) Improper Certificate Validation (CVE-ID: CVE-2023-1664)

The vulnerability allows a remote attacker to bypass client certificate validation.

The vulnerability exists due to improper certificate validation when using X509 Client Certificate Authenticatior with the option "Revalidate Client Certificate". A remote attacker with ability to directly connect to Keycloak (e.g. not via the reverse proxy) can bypass certificate validation and gain unauthorized access to the application.

Successful exploitation of the vulnerability requires that there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE, which results in accepting any certificate with the logging information of "Cannot validate client certificate trust: Truststore not available".

5) Improper certificate validation (CVE-ID: CVE-2023-2422)

The vulnerability allows a remote user to bypass authorization process.

The vulnerability exists due to improper certificate validation chain when a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients. A remote user that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.

6) Authentication Bypass by Spoofing (CVE-ID: CVE-2023-2585)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error within the Keycloak Device Authorisation Grant. A remote attacker can spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.

7) Input validation error (CVE-ID: CVE-2023-24329)

The vulnerability allows a remote attacker to bypass implemented filters.

The vulnerability exists due to insufficient validation of URLs that start with blank characters within urllib.parse component of Python. A remote attacker can pass specially crafted URL to bypass existing filters.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2023:3892
• https://access.redhat.com/errata/RHSA-2023:3888